
Use Lodash `escape` as a small security enhancement

Thomas Randolph requested to merge tor/maintenance/escape-some-strings into master

What does this MR do and why?

There is one place where the user's username is used in the users_select code.

This MR uses Lodash's escape to prevent any potentially manipulative content from being rendered directly into the UI.

Caveats

  1. username should never have dangerous content, because saving it isn't possible with any special characters
  2. All the rest of the data is either already passed through escape or <%- %> (which itself uses escape).

Bottom Line

There's no security issue here as far as I can tell, but I'm adding escape to the one place that doesn't seem to be escaped on the off chance that a username somehow has malicious content.
This is a "maybe we can protect against a future mistake" addition.

Screenshots or screen recordings

There's no UI change with this MR.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Thomas Randolph
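To show concretely what escaping the username buys in the situation the MR describes, here is an added example in JavaScript. It is not code from this MR or from the users_select module. It assumes a hypothetical dropdown-row template that interpolates the username into an attribute and into the visible text, and it re-implements the character set that Lodash's `escape` covers (`&`, `<`, `>`, `"`, `'`) as a local `escape` function so the block runs offline without the lodash dependency. The hostile username is constructed for the demonstration; it stands in for the "future mistake" case where a value that signup would normally reject somehow reaches the UI.

```javascript
// Local stand-in for lodash's `_.escape`: the same five characters,
// mapped to the same entities. This is NOT lodash itself.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};
const UNESCAPED_HTML = /[&<>"']/g;

function escape(value) {
  return String(value).replace(UNESCAPED_HTML, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical users_select-style row (not the real template): the username
// lands inside a quoted attribute and inside element text.
function renderUserItemUnsafe(user) {
  return `<a class="user" title="${user.username}">@${user.username}</a>`;
}

// Hardened form: escape once, then interpolate the escaped value everywhere.
function renderUserItemSafe(user) {
  const username = escape(user.username);
  return `<a class="user" title="${username}">@${username}</a>`;
}

// Constructed input: a username that closes the title attribute and injects
// a new element with an event handler. Real signup would reject this; the
// example simulates it slipping through.
const hostileUser = { username: '"><img src=x onerror=alert(1)>' };

// Crude structural check used for the comparison below: count opening tags.
// The safe render must contain exactly the one <a> the template itself emits.
function countTags(html) {
  return (html.match(/<[a-z]/gi) || []).length;
}

function demo() {
  const unsafe = renderUserItemUnsafe(hostileUser);
  const safe = renderUserItemSafe(hostileUser);
  return {
    unsafe,
    safe,
    unsafeTagCount: countTags(unsafe), // 3: the <a> plus two injected <img>
    safeTagCount: countTags(safe),     // 1: only the template's own <a>
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Two caveats a reviewer would keep in mind: this character set is only the right answer when the value is placed in HTML text or inside a quoted attribute, as above; it does nothing for a value dropped into a JavaScript string, a URL, or an unquoted attribute, which need their own encoders. And applying `escape` once and reusing the result is deliberate, because escaping the same string a second time turns `&amp;` into `&amp;amp;` and shows up in the UI as garbage.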
